Friday, April 11, 2014

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

Oh come now. What could be wrong with allowing the worst security breach in history to continue for two years for its own convenience? They're trying to protect us. Oh wait ...

I shouldn't be so flippant about this. If this story is true it should be the last straw. This is a perfect example of the intelligence agencies' belief that their "mission" is so all-important that they can use any means necessary. The culture of these bureaucracies inevitably leads to this sort of thing.

...they've been so walled off from the American body politic that they have no idea when they're saying things that sound tone-deaf. Like expats returning from a long overseas tour, NSA staffers don't quite comprehend how much perceptions of the agency have changed. The NSA stresses in its mission statement and corporate culture that it "protects privacy rights." Indeed, there were faded banners proclaiming that goal in our briefing room.

I think it's not just how they sound. It's what they do as well.

The NSA spokesperson has now denied they knew about it. But one can certainly understand why people might be skeptical. It's not as if their grand commitment to privacy rights has prevented them from exploiting security vulnerabilities in the past:

Like any government agency, the NSA hires outside companies to help it do the work it's supposed to do. But an analysis of the intelligence community's black budget reveals that unlike most of its peers, the agency's top hackers are also funneling money to firms of dubious origin in exchange for computer malware that's used to spy on foreign governments.

This year alone, the NSA secretly spent more than $25 million to procure "'software vulnerabilities' from private malware vendors," according to a wide-ranging report on the NSA's offensive work by the Post's Barton Gellman and Ellen Nakashima.

Companies such as Microsoft already tell the government about gaps in their product security before issuing software updates, reportedly to give the NSA a chance to exploit those bugs first. But the NSA is also reaching into the Web's shadier crevices to procure bugs the big software vendors don't even know about — vulnerabilities that are known as "zero-days."

This is a culture that sees its mission as paramount. They consider themselves some kind of cyber-ninjas who need to use every means possible to complete it. It's very easy to imagine they might just let a little useful security hole slide for a while.

Who knows? But it's certainly worth noting that at this point it's fairly easy to believe they could do this. Their reputation precedes them.

The White House said Friday that when the government uncovers a Heartbleed-like bug, "it is in the national interest" to notify developers — "unless there is a clear national security or law enforcement need."